Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware

NOTES:

  • Today I captured traffic from the latest version of CrypMic ransomware. The ransomware was delivered via the pseudoDarkleech campaign.
  • The pseudoDarkleech campaign used the “hopto.org” gate to redirect to the Neutrino Exploit Kit (EK) landing page.
  • CrypMic continues to send its ransom notes over SSL port 443 in clear text.
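As an added illustration (not code from the original post or the pcap), the check below flags TCP/443 flows whose first client bytes are not a TLS record, which is how a clear-text check-in on port 443 like the one noted above stands out in a flow extract. The flow records are constructed sample data; only the C2 address 193.111.140.100 comes from this post's indicator list.

```python
# Added example: detect non-TLS payloads on TCP port 443 in flow records.
# Flow records and payload bodies below are constructed, not from the pcap.
from typing import NamedTuple, List

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection

# Record-layer versions seen in the first byte pair after the content type
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}

def looks_like_tls(payload: bytes) -> bool:
    """True if payload starts with a TLS record header:
    content type 0x14..0x17 followed by a known protocol version."""
    if len(payload) < 5:
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    return 0x14 <= content_type <= 0x17 and version in TLS_VERSIONS

def find_cleartext_on_443(flows: List[Flow]) -> List[str]:
    """Return one alert line per flow to port 443 whose payload does not
    begin with a TLS record (plain HTTP or other clear text)."""
    alerts = []
    for f in flows:
        if f.dport == 443 and not looks_like_tls(f.payload):
            preview = f.payload[:20].decode("ascii", "replace")
            alerts.append(f"{f.src} -> {f.dst}:443 non-TLS payload: {preview!r}")
    return alerts

# Constructed sample flows: a normal TLS ClientHello to a TEST-NET address,
# a clear-text POST to the C2 address listed in this post, and plain HTTP on 80.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.5", "193.111.140.100", 443, b"POST / HTTP/1.1\r\nHost: 193.111.140.100\r\n"),
    Flow("10.0.0.5", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in find_cleartext_on_443(SAMPLE_FLOWS):
        print(line)
```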

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-08-03-Neutrino-EK-2-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 83.217.27.178 – umattj.hopto.org – Redirect GATE
  • 138.201.210.155 – vaihdoskysymyksen.itsport.co.uk – Neutrino EK
  • 193.111.140.100 – Port 443 – C2 Check-In – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ccjlwb22w6c22p2k.onion.to
http://ccjlwb22w6c22p2k.onion.city


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Traffic associated with the Neutrino exploit and CrypMic ransomware infection


Shown above: Injected script found on compromised site redirecting to “hopto.org” gate


Shown above: HTML extracted from packet 36 and saved as an .htm file. Opened in a text editor, it shows the script on “hopto.org” redirecting to the Neutrino EK landing page.


Shown above: CrypMic .TXT ransom note and De-Crypt instructions README.txt


MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT: